[refpolicy] Fedora patch on tcsd. - Christopher J. PeBenito

All of lore.kernel.org
 help / color / mirror / Atom feed

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Fedora patch on tcsd.
Date: Tue, 15 Feb 2011 10:37:27 -0500	[thread overview]
Message-ID: <4D5A9DB7.2000502@tresys.com> (raw)
In-Reply-To: <4D51BCFF.70204@redhat.com>

On 2/8/2011 5:00 PM, Daniel J Walsh wrote:
> diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
> index 8a473e7..7fdda14 100644
> --- a/policy/modules/services/tcsd.fc
> +++ b/policy/modules/services/tcsd.fc
> @@ -1,3 +1,6 @@
> +/etc/rc\.d/init\.d/tcsd	--	gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
> +
>  /usr/sbin/tcsd		--	gen_context(system_u:object_r:tcsd_exec_t,s0)
> +
>  /var/lib/tpm(/.*)?		gen_context(system_u:object_r:tcsd_var_lib_t,s0)
>
> diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
> index e814f69..f7d6fa3 100644
> --- a/policy/modules/services/tcsd.if
> +++ b/policy/modules/services/tcsd.if
> @@ -1 +1,153 @@
>  ## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
> +
> +########################################
> +## <summary>
> +##	Execute a domain transition to run tcsd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`tcsd_domtrans',`
> +	gen_require(`
> +		type tcsd_t, tcsd_exec_t;
> +	')
> +
> +	domtrans_pattern($1, tcsd_exec_t, tcsd_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +##	Execute tcsd server in the tcsd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_initrc_domtrans',`
> +	gen_require(`
> +		type tcsd_initrc_exec_t;
> +	')
> +
> +	init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Search tcsd lib directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_search_lib',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	allow $1 tcsd_var_lib_t:dir search_dir_perms;
> +	files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Read tcsd lib files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_read_lib_files',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +        read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete
> +##	tcsd lib files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_manage_lib_files',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +        manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage tcsd lib dirs files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tcsd_manage_lib_dirs',`
> +	gen_require(`
> +		type tcsd_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +        manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an tcsd environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`tcsd_admin',`
> +	gen_require(`
> +		type tcsd_t;
> +		type tcsd_initrc_exec_t;
> +                type tcsd_var_lib_t;
> +	')
> +
> +	allow $1 tcsd_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, tcsd_t)
> +
> +	tcsd_initrc_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 tcsd_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_search_var_lib($1)
> +	admin_pattern($1, tcsd_var_lib_t)
> +
> +')
> diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
> index f17dafd..30d2c75 100644
> --- a/policy/modules/services/tcsd.te
> +++ b/policy/modules/services/tcsd.te
> @@ -10,7 +10,9 @@ type tcsd_exec_t;
>  domain_type(tcsd_t)
>  init_daemon_domain(tcsd_t, tcsd_exec_t)
>
> -# /var/lib/tpm
> +type tcsd_initrc_exec_t;
> +init_script_file(tcsd_initrc_exec_t)
> +
>  type tcsd_var_lib_t;
>  files_type(tcsd_var_lib_t)
>
> @@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid };
>  allow tcsd_t self:process { signal sigkill };
>  allow tcsd_t self:tcp_socket create_stream_socket_perms;
>
> -# var/lib files for tcsd
>  manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
>  manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
>  files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
>
> -# Accept connections on the TCS port over loopback.
>  corenet_all_recvfrom_unlabeled(tcsd_t)
>  corenet_tcp_bind_generic_node(tcsd_t)
>  corenet_tcp_bind_tcs_port(tcsd_t)
>
>  dev_read_urand(tcsd_t)
> -# Access /dev/tpm0.
>  dev_rw_tpm(tcsd_t)
>
>  files_read_etc_files(tcsd_t)
>  files_read_usr_files(tcsd_t)
>
> -# Log messages via syslog.
> +auth_use_nsswitch(tcsd_t)
> +
>  logging_send_syslog_msg(tcsd_t)
>
>  miscfiles_read_localization(tcsd_t)
>
> -sysnet_read_config(tcsd_t)
> +sysnet_dns_name_resolve(tcsd_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

     prev parent reply	other threads:[~2011-02-15 15:37 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-08 22:00 [refpolicy] Fedora patch on tcsd Daniel J Walsh
2011-02-15 15:37 ` Christopher J. PeBenito [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D5A9DB7.2000502@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.